Reuters cited three anonymous sources with knowledge of Marriott's investigation. The New York Times and Washington Post filed similar reports. Chinese government officials deny the country was involved.

Although the investigation is ongoing, the New York Times reports that private companies brought in to analyze the Starwood intrusion saw "computer code and patterns familiar to operations by Chinese actors." It reported that the hackers may be connected with China's Ministry of State Security, a civilian spy agency.

In an interview on Fox & Friends on Wednesday, Secretary of State Mike Pompeo appeared to confirm the belief that China is behind the Marriott attack. Pompeo spoke broadly about Chinese intelligence operations, and said "That's right" when the host suggested the Marriott hack was the latest example.

Accurate Attribution?

Reuters reports that its sources say the tools, techniques and procedures used in the Marriott breach - the trio of behavioral indicators that investigators compare across intrusions - match those seen in previous breaches attributed to China.

But Reuters' sources also said some of the hacking tools seen have been available online, making it possible that others are to blame. Computer security experts often caution about attribution because intruders can use a variety of techniques to leave misleading forensic clues.

Malware that may be linked to China doesn't necessarily mean Chinese hackers are in the network, writes Jake Williams, founder of Rendition Infosec, an Atlanta-based security consultancy.

China is "by far the easiest to false flag," Williams writes in a tweet. "So much of their malware is widely public (e.g. anyone with a VirusTotal account can download builders)."


Thomas Rid, a professor of strategic studies at Johns Hopkins University's School of Advanced International Studies, writes on Twitter that it's "plausible" China is behind the intrusion. But he cautioned that the suggestion is a big claim that's being made without forensic evidence at a particularly sensitive time between the U.S. and China.

Trio of Mega-Breaches

If investigators' hunches are accurate, China would be to blame for three of the biggest intrusions that have occurred since 2014: the U.S. government's Office of Personnel Management, the health insurer Anthem and now Marriott's Starwood.

As with the OPM and Anthem hacks, none of the Marriott data apparently has shown up for sale in underground online markets, which some have suggested is a sign of a state-sponsored operation rather than a criminal one.

For 327 million accounts, names, postal addresses, phone numbers, email addresses, passport numbers, birth dates and travel data were exposed. For some of those accounts, encrypted payment card numbers and expiration dates were also exposed, as was potentially the information attackers would have needed to decrypt the payment card data. For the remaining accounts, less sensitive data, such as postal address, email address or other information, was leaked. So far, Marriott has not said how the hackers got inside the reservation database.

The New York Times notes that Marriott is a significant provider of accommodations for U.S. government employees and military personnel.

Anthem, formerly known as WellPoint, disclosed in February 2015 that attackers gained access to a corporate database and stole more than 79 million records containing patient and employee data (see: Anthem Hit by Massive Data Breach).

Volatile Times

China's suspected involvement in the Marriott hack adds to rising tension with the U.S. The two countries are hashing out a trade agreement that President Donald Trump hopes will remove protectionist barriers and open new markets for U.S. companies.

Also, the Wall Street Journal reported on Dec. 6 that the Department of Justice is close to unsealing charges against members of the Chinese military for the so-called Cloudhopper attacks, which compromised managed service providers and managed security service providers. That attack group is also sometimes referred to as APT10.

Yet another conflict is the arrest of Huawei CFO Meng Wanzhou, the daughter of company founder Ren Zhengfei. She was detained in Canada at the request of the U.S. related to alleged violations of sanctions against Iran.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
